Hi all - I've been running a Tor non-exit relay for several months now.
It's rare, but I'm seeing what I believe is the occasional connection
attack, with my relay complaining about the number of connections and
suggesting I reduce capacity. Those are rare, and most of the time my
server is running at about 20% CPU. During attacks, which seem unrelated
to my Tor Upload/Download rate, CPU jumps to well over 100% (quad core,
so 400% is max).
I'd normally just ignore this, but it seems to be impacting other
aspects of my network experience: Messenger Rooms will unexpectedly
close, NetFlix gets "unable to stream this title", family complains
about slow and dropped connections, etc. Just had it happen a few
minutes ago with a Messenger Room and sure enough, CPU is at 130%, even
though I'm only pumping about 15MB/Sec (37.5MB/S limit, 56.2 burst, 40.3
observed) over my gigabit ISP connection. Speedtest shows the connection
performing within acceptable parameters.
So I'm contemplating what I can do, since this is bothersome. I've come up
with a few alternatives, and I'm curious about your thoughts:
1) Do some type of connection limiting at my pfSense Plus firewall.
Perhaps limiting things to, say, 30 connections per IP address? Not
even sure that is possible, but figure it might lighten the load on the
Tor server.
2) Drop being a Tor non-exit relay and convert to a bridge. Not sure
how long, if ever, it would take for my IP address, which is now public,
to fade off of block lists... Not ideal, but at least as a bridge I'd
still be servicing the environment.
3) Try connection limiting via iptables on the Tor host. Just seems
like doing that at the firewall would be better.
Thoughts?
Kevin
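Added example, not part of Kevin's post or of any Tor Project tooling: before choosing between option 1 and option 3, it helps to know whether a few peers really do hold an outsized share of the relay's ORPort connections. The script below counts established connections per peer address from `ss -tn state established` output (the sample rows are constructed, not captured from a real relay) and flags peers above a per-IP limit; it assumes the ORPort is 9001 and that Tor is the only service listening there.

```python
import re
from collections import Counter
# Matches one "address:port" token as ss prints it: IPv4, bracketed IPv6, or "*".
_ADDR_PORT = re.compile(r"(\[[0-9A-Fa-f:.]+\]|[0-9.]+|\*):(\d+)")
# Constructed sample shaped like `ss -tn state established` output on the relay
# host (203.0.113.10 / 2001:db8:1::5, ORPort 9001); not captured from a real relay.
SAMPLE_SS_OUTPUT = """\
Recv-Q Send-Q Local Address:Port      Peer Address:Port
0      0      203.0.113.10:9001       198.51.100.7:51234
0      0      203.0.113.10:9001       198.51.100.7:51235
0      0      203.0.113.10:9001       198.51.100.7:51236
0      0      203.0.113.10:9001       198.51.100.7:51237
0      0      203.0.113.10:9001       198.51.100.7:51238
0      0      203.0.113.10:9001       192.0.2.44:40001
0      0      203.0.113.10:9001       192.0.2.44:40002
0      0      203.0.113.10:9001       192.0.2.44:40003
0      0      [2001:db8:1::5]:9001    [2001:db8::1]:60001
0      0      [2001:db8:1::5]:9001    [2001:db8::1]:60002
0      0      [2001:db8:1::5]:9001    192.0.2.44:40004
0      0      203.0.113.10:22         198.51.100.7:39000
"""

def parse_row(line):
    """Return ((local_ip, local_port), (peer_ip, peer_port)), or None for the header."""
    tokens = _ADDR_PORT.findall(line)
    if len(tokens) < 2:
        return None
    (lip, lport), (pip, pport) = tokens[0], tokens[1]
    return (lip.strip("[]"), int(lport)), (pip.strip("[]"), int(pport))

def count_peers(ss_output, orport=9001):
    """Count established connections per peer IP, on the ORPort only."""
    counts = Counter()
    for line in ss_output.splitlines():
        parsed = parse_row(line)
        if parsed is None:
            continue
        (_, lport), (pip, _) = parsed
        if lport == orport:  # skip SSH, DirPort and other local services
            counts[pip] += 1
    return counts

def over_limit(counts, limit=30):
    """Peers holding more than `limit` ORPort connections, busiest first."""
    return sorted(((ip, n) for ip, n in counts.items() if n > limit),
                  key=lambda item: (-item[1], item[0]))
if __name__ == "__main__":
    for ip, n in over_limit(count_peers(SAMPLE_SS_OUTPUT), limit=4):
        print(f"{ip}: {n} ORPort connections, above the per-IP limit")
```

On the relay host, feed it real `ss -tn state established` output during one of the CPU spikes and compare the flagged peers against the per-IP limit you intend to enforce at the firewall; if no peer stands out, a per-IP limit will not help much and the load is coming from many sources at once.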